Use v2 capabilities in layer archives

[EricMountain]

- What I did

Fixes #41723

When building images in a user-namespaced container, v3 capabilities are
stored including the root UID of the creator of the user-namespace.

This UID does not make sense outside the build environment however. If
the image is run in a non-user-namespaced runtime, or if a user-namespaced
runtime uses a different UID, the capabilities requested by the effective
bit will not be honoured by execve(2) due to this mismatch.

Instead, we convert v3 capabilities to v2, dropping the root UID on the
fly.

- How I did it

Patched ReadSecurityXattrToTarHeader() to automatically convert v3 capabilities to v2 by switching the version identifier and dropping the root UID data.

- How to verify it

This reproducer can be used.

Compared with the output in issue #41723 this produces:

    default: + docker run --rm capabilities-built-with-no-userns:1.0 /bin/bash -c '(/usr/local/bin/sleep-test infinity & ); sleep 1; grep Cap /proc/$(pgrep sleep-test)/status'
    default: CapInh:	00000000a80425fb
    default: CapPrm:	0000000000000400
    default: CapEff:	0000000000000400
    default: CapBnd:	00000000a80425fb
    default: CapAmb:	0000000000000000
    default: + docker run --rm capabilities-built-with-userns:1.0 /bin/bash -c '(/usr/local/bin/sleep-test infinity & ); sleep 1; grep Cap /proc/$(pgrep sleep-test)/status'
    default: CapInh:	00000000a80425fb
    default: CapPrm:	0000000000000400
    default: CapEff:	0000000000000400
    default: CapBnd:	00000000a80425fb
    default: CapAmb:	0000000000000000

So we see that in the 2nd case also execve(2) honoured the effective bit.

- Description for the changelog

Capabilities in image layers are stored in v2 format even when built inside a non-root user-namespace.

- A picture of a cute animal (not mandatory but encouraged)

[justincormack]

Hi, I would rather this went via buildkit first as that is where we are doing the work in build. We might port it to the legacy builder, but this is not where we are largely doing build development work.

[EricMountain]

@justincormack , thanks I'll take a look. Would you be able to point me to where in buildkit this should go?

Trying to get to grips with the buildkit code: IIUC buildkit leverages containerd to write out image layers, correct? Would this be the right place to make the equivalent change?

[EricMountain]

@justincormack I've come to realise BuildKit is using the same block of code to build the tarballs, so this PR is also the fix for BuildKit. Or am I missing something?

[thaJeztah]

@tonistiigi PTAL

[AkihiroSuda]

Could you add integration tests?

[thaJeztah]

@dmcgowan @estesp would containerd's archive package also need similar changes? https://github.com/containerd/containerd/tree/master/archive

[EricMountain]

@AkihiroSuda is there an image I can use in the integration tests that would support the getcap -n option? I checked debian:buster, one of the frozen images already used in integration tests, however it doesn't support -n.

I might be able to get away without this, however it would be a lot uglier: basically setcap in a build, then tar the file in a run (hoping debian:buster tar knows about serialising security.capabibilities) and check the version in the serialised data.

[thaJeztah]

Alpine's libcap looks to have it, but don't think we include it in the frozen images.

[EricMountain]

@thaJeztah in integration tests, are we supposed to use only the frozen images, or is it considered OK to use e.g. Alpine for cases such as this? From what I've seen, integration tests only use scratch or frozen images, so my guess was I'm not supposed to use anything else.

And if I should only use frozen images, would it be acceptable for me to add Alpine to the list?

[EricMountain]

Integration test implemented in #41740. Switching this PR to draft for now as it will require an update to the test once that has merged.

[EricMountain]

Test in #41740 merged, the fix is now ready for review.

[EricMountain]

Hi @thaJeztah , @AkihiroSuda might I get a review now the integration test PR has merged? Thanks!

[thaJeztah]

LGTM

ping @AkihiroSuda @tonistiigi PTAL

[thaJeztah]

do we need similar changes in containerd as well, @AkihiroSuda ?

[AkihiroSuda]

do we need similar changes in containerd as well, @AkihiroSuda ?

Better to have, but not urgent

[thaJeztah]

do we need similar changes in containerd as well, @AkihiroSuda ?

Better to have, but not urgent

@EricMountain perhaps you're interested in contributing to containerd as well? (Or to open a tracking issue, describing the problem)?

[EricMountain]

@EricMountain perhaps you're interested in contributing to containerd as well? (Or to open a tracking issue, describing the problem)?

@thaJeztah sure, I'll take a look.

[tonistiigi]

@AkihiroSuda Do we need to cherry-pick this? Is this breaking existing users? Should we strip to v3 part on extraction if it is node specific.

[thaJeztah]

@AkihiroSuda ^ could you have a look?

[AkihiroSuda]

Seems safe to cherry-pick, but if we can have v21.xx soon, I guess cherry-picking is not necessary.

[AkihiroSuda]

Cherry-picked as #42352